dcrat | 8437edc3f8f074b70a5c2a83981daf4ba9828617accfadabfad531e0d3307ff2

Analysis

max time kernel
15s
max time network
21s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Rice Loader.exe
Size

1.7MB
MD5

eae85da30f643913cc1ba962a1722abe
SHA1

2df08a292d733d7d79aea9d7ae079c17964ec44b
SHA256

b2c7627cc1d7a6e016fbe97d2175a7e91240dba49d27f4fc7d43efbb2b9ca86f
SHA512

45d5df0d6e93658f7cd8b1efbb08fbef5fd27fbb675664820e1662443c7a55e678cb9a499ca96051954639ab52aceb9a812421146b21e171cc5a3dc51bcd7a85
SSDEEP

49152:UbA30N2Y6CbYeb0qVOOYYtz7Q/+XZZ8csL:UbZ6CbfaOffXq

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\bridgeRefdll\Cominto.exe	dcrat
behavioral1/memory/3364-14-0x0000000000AE0000-0x0000000000C54000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

Processes:

Cominto.exe

pid process

3364 Cominto.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

Rice Loader.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings Rice Loader.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Cominto.exe

description pid process

Token: SeDebugPrivilege 3364 Cominto.exe

pid	process
3364	Cominto.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings	Rice Loader.exe

description	pid	process
Token: SeDebugPrivilege	3364	Cominto.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

Rice Loader.exeWScript.execmd.exe

description	pid	process	target process
PID 3200 wrote to memory of 5092	3200	Rice Loader.exe	WScript.exe
PID 3200 wrote to memory of 5092	3200	Rice Loader.exe	WScript.exe
PID 3200 wrote to memory of 5092	3200	Rice Loader.exe	WScript.exe
PID 5092 wrote to memory of 4948	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 4948	5092	WScript.exe	cmd.exe
PID 5092 wrote to memory of 4948	5092	WScript.exe	cmd.exe
PID 4948 wrote to memory of 3364	4948	cmd.exe	Cominto.exe
PID 4948 wrote to memory of 3364	4948	cmd.exe	Cominto.exe

C:\Users\Admin\AppData\Local\Temp\Rice Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Rice Loader.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3200

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\bridgeRefdll\Rc9TGyLvla1DCQfA.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\bridgeRefdll\7SErw3QqG8DR33ZHNVPlxU94MWk.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\bridgeRefdll\Cominto.exe
"C:\bridgeRefdll\Cominto.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\bridgeRefdll\7SErw3QqG8DR33ZHNVPlxU94MWk.bat
Filesize
29B

MD5
15618516fd39d3d2819d6a0c6b142a0c

SHA1
1dd8845bf120a1f0029a38937b84ff041c6fd7e7

SHA256
5c6f33da33e498e58632dfab994850eb80c21ba77fc03ad9687beae7b3c2529b

SHA512
ef4347ac6cfd4db86691c23a6e24555fa4237161a43bf8cbbc20af1682b977e3c3b8f6082c43e227f43ba246d862a3d1532a1e0b4ca96fa3d0e97c74f943c900

Download Submit
C:\bridgeRefdll\Cominto.exe
Filesize
1.4MB

MD5
2a7ba873c3ed2a5f4a916a7beb6d5159

SHA1
d6b7b52bfc1ddf88955905391820df5c498caaaf

SHA256
647de545941a931ef320c3f5e1ee70cb0d9acf1dcbdc20d9606f2b9dae4623f7

SHA512
f363372b9aefc87d3404b120bc7128550142adbd741838d23ec813ec159d971b4d0d5b8ccbbe89519aa7fa858cc0ce8ef97c3e50d0170dba763f216c51aca496

Download Submit
C:\bridgeRefdll\Rc9TGyLvla1DCQfA.vbe
Filesize
216B

MD5
4e39ee432ff2779f1b8222b52b0f49a2

SHA1
c9823817b7a8346f252bac98851eb2c7b0ddfdd3

SHA256
c181d4e95af2da2c5f5d17358fcfd746718a758e99be98b18919ee6786622f34

SHA512
02b058d78baf6d8a1e2616929aca836f28ec323b0aaaddcc4aba42ed99d96c868fd657aab46cd305d6108bf97675962d8f8c97fc67b4d1c80077dce9524ac2ed

Download Submit
memory/3364-14-0x0000000000AE0000-0x0000000000C54000-memory.dmp

Filesize
1.5MB

Download
memory/3364-15-0x0000000001600000-0x000000000160E000-memory.dmp

Filesize
56KB

Download